Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

SECURITY CONTROLS OVER THE IMPLEMENTATION OF PERSONAL IDENTITY VERIFICATION CARDS AT THE DEPARTMENT OF HEALTH AND HUMAN SERVICES WERE INADEQUATE DUE TO LACK OF SOME ESSENTIAL INFORMATION SECURITY REQUIREMENTS

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General for Audit Services

July 2014
A-18-12-30410

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Security controls over the implementation of Homeland Security Presidential Directive 12 at the Department of Health and Human Services were inadequate because essential information security requirements were not implemented.

This report provides an overview of the results of our audit of the Department of Health and Human Services (HHS) implementation of Homeland Security Presidential Directive 12 (HSPD-12). Due to the sensitive nature of the specific findings identified during our audit, only a summary of the findings is included in this report. We have provided more detailed information and recommendations to HHS so that it can address the issues we identified.

WHY WE DID THIS REVIEW

The HSPD-12, "Policy for a Common Identification Standard for Federal Employees and Contractors," August 27, 2004, mandated the promulgation by 2006 of a Federal standard for secure and reliable forms of identification for Federal employees and contractors and requires the use of governmentwide identification credentials for employees and contractors. The HSPD-12 and other Federal guidance require executive departments and agencies to (1) implement the standard for identification issued to Federal employees and contractors in gaining physical access to controlled facilities and logical access (the authorized and authenticated access to computer applications and data files) to controlled information systems and (2) implement and maintain adequate security for all their support systems and applications. We evaluated HHS' progress in implementing a reliable and effective system of personal identity verification (PIV) in compliance with the HSPD-12.

Our objective was to determine whether HHS complied with Federal guidance when implementing its HSPD-12 system.

BACKGROUND

Federal guidance has established the minimum architecture and technical requirements for a Federal personal identification system, including requirements for PIV, registration, card issuance, and interoperability of PIV credentials and systems among Federal Departments and agencies, as well as detailing technical specifications. Federal guidance also provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources and provides for development and maintenance of the minimum controls required to protect Federal information and information systems.

HHS's mission is to protect the health of all Americans and provide essential human services, especially for those who are least able to help themselves. HHS's programs are administered by its divisions. In addition to the services they deliver, the HHS programs enable the collection of national health and other data.

Security Controls Over HHS's Personal Identity Verification Systems (A-18-12-30410) 1

At the beginning of our audit, the HHS Program Management Office (PMO) was responsible for implementing and monitoring HSPD-12 systems. The PMO took a decentralized approach to implementing the HSPD-12, providing the same guidance to the divisions but allowing each one to determine how it implemented the HSPD-12. During our audit, the overall responsibility for the implementation and monitoring of the HSPD-12 was transitioning from the PMO to the Office of Security and Strategic Information (OSSI).

HOW WE CONDUCTED THIS REVIEW

We evaluated the HHS implementation of the HSPD-12 and the security controls over a sample of its critical HSPD-12 systems to determine whether the guidance had been followed. Specifically, we assessed (1) whether the HHS PIV card application and issuance processes were effective and complied with HHS guidance and regulations and (2) whether information security controls over critical HHS PIV systems complied with Federal information security standards.

We reviewed the following information technology (IT) security controls in effect as of August 2012: security management, program and system-specific controls, encryption, change controls, Web vulnerability management, and physical security. Appendix A contains a summary of our audit scope and methodology.

Risk Level Definitions for Findings

To assign risk levels (i.e., High, Medium, Low) to our findings, we used the risk scale of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Guide for Conducting Risk Assessments, Appendix D, which describes the need for corrective actions and the relative timeframes in which they must occur based on the levels of risk associated with system vulnerabilities.

WHAT WE FOUND

HHS did not always comply with Federal guidance when implementing its HSPD-12 system. Specifically, security controls over the implementation of the HSPD-12 at HHS were inadequate because essential information security requirements were not implemented. We found six categories of vulnerabilities:

    •   Enrollment and issuance process: The implementation of the HSPD-12 lacked controls to ensure that all credentialing requirements were met and that training was provided to employees who performed HSPD-12 roles. In addition, a standard had not been established under which key roles had to be held by different employees to ensure adequate separation of duties and to verify the integrity of PIV credentials (high risk).

    •   Deactivation of PIV cards: PIV cards were not deactivated in a timely manner (high risk).

    •   Security over system access: The implementation of the HSPD-12 lacked controls to ensure that management had implemented policies and procedures associated with access to the PIV system and protection of sensitive system information (high risk).

    •   Security management: The data center facility's network firewall configuration policies did not comply with HHS policy or guidelines. Also, security management controls, including patch management, antivirus management, and configuration management, were not implemented on HSPD-12 workstations at any of the division PIV Card Issuance Facilities (PCIF) that we audited. HHS allowed nongovernmental computers to connect to card management systems (high risk).

    •   Physical security: Physical security controls, which help ensure that physical access to key areas within the PCIF is restricted to authorized personnel, were not adequate for the PIV system (high risk).

    •   Web vulnerabilities: Vulnerabilities were identified in 17 categories on the HHS PIV system Web portal test sites that were scanned (moderate risk).

Due to the sensitive nature of the specific findings identified during our testing, only a summary of the findings is included in this report. We have provided more detailed, technical findings to HHS/OSSI.

WHAT WE RECOMMEND

We recommend that HHS/OSSI implement essential security requirements in the areas of enrollment and issuance, deactivation of PIV cards, system access, security management, physical security, and PIV Web portals.

This report summarizes our recommendations due to the sensitive nature of the information discussed. We have provided more detailed recommendations to HHS/OSSI.

AUDITEE COMMENTS

In written comments on our draft report, OSSI concurred with 14 recommendations and did not concur with 4 recommendations. OSSI's comments also described the actions it will take to implement our recommendations.

APPENDIX A: AUDIT SCOPE AND METHODOLOGY

SCOPE

We reviewed selected IT security controls in effect as of August 2012. These controls were security management, program and system-specific controls, encryption, change controls, Web vulnerability management, and physical security. We performed our fieldwork from August 2012 to March 2013 at select HHS PCIF locations.

HSPD-12 security management did not permit us to complete vulnerability scans during the audit period. Therefore, we were unable to obtain sufficient evidence to determine whether the vulnerabilities we identified in the test environment were corrected in the production environment and whether other, more serious Web vulnerabilities existed. We also were unable to determine whether the vulnerabilities we identified in the test environment were remediated by corrective actions.

METHODOLOGY

To accomplish our objective, we:

    •   reviewed the HSPD-12 program policies and procedures;

    •   interviewed the HSPD-12 program employees who were knowledgeable of the areas we addressed;

    •   assessed the HSPD-12 program's program and system-specific controls;

    •   reviewed the HSPD-12 program's change controls;

    •   judgmentally selected 50 PIV applicants at divisions to determine the following:

            o whether PCIFs were screening applicant fingerprints before authorizing and issuing PIV cards and

            o whether PCIFs verified the existence and results of a background investigation for each applicant before card issuance;

    •   judgmentally selected eight role holders at divisions to determine whether training was provided for all of the roles they held;

    •   assessed the key system roles throughout the PIV card enrollment and issuance process to determine whether there was separation of duties;

    •   reviewed active accounts to determine whether PIV cards were deactivated in a timely manner for terminated and separated personnel within the past year;

    •   assessed the HSPD-12 program's security management controls on PCIF workstations and servers, including patch, antivirus, and configuration management, to determine whether they were implemented;

    •   assessed the HSPD-12 program's physical security at select HHS PCIF locations;

    •   reviewed the HSPD-12 program's Web vulnerability management and scanned two HSPD-12 Web portal test sites; and

    •   discussed our findings with division management.

We assigned risk levels to these vulnerabilities according to NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.